CVE-2026-22713
Unknown Unknown - Not Provided

Cross-Site Scripting in Mediawiki GrowthExperiments Extension

Vulnerability report for CVE-2026-22713, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-09

Last updated on: 2026-02-12

Assigner: wikimedia-foundation

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-09
Last Modified
2026-02-12
Generated
2026-07-06
AI Q&A
2026-01-09
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
growth growthexperiments 1.39
growth growthexperiments 1.43
growth growthexperiments 1.44
growth growthexperiments 1.45

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-22713 is a stored Cross-Site Scripting (XSS) vulnerability in the GrowthExperiments extension of MediaWiki. It occurs because the extension inserts parsed, user-controlled wikitext into autocomments that appear in edit summaries without proper escaping. This allows any user with edit permissions to inject malicious scripts that execute when the edit summaries are rendered in various parts of the interface, such as page history and recent changes. The root cause is the unsafe use of parsed HTML messages with user-supplied parameters, enabling script injection. [1]

Impact Analysis

This vulnerability can allow an attacker with edit permissions to inject and execute arbitrary JavaScript code in the context of users viewing edit summaries. This can lead to session hijacking, defacement, or other malicious actions performed on behalf of the victim user. Since the malicious scripts execute in various UI components displaying edit summaries, it can affect multiple users and compromise the integrity and security of the MediaWiki installation. [1]

Detection Guidance

This vulnerability can be detected by attempting to reproduce the stored XSS attack in the GrowthExperiments extension. Specifically, you can test if user-controlled wikitext is improperly escaped in edit summaries by following these steps: 1. Create a template named `Template:AutocommentPayload` containing the payload `<pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre>`. 2. Edit an existing page and set the edit summary to `/*growthexperiments-manage-mentors-summary-add-admin-no-reason:{{AutocommentPayload}}*/`. 3. View the changes or page history to see if the payload executes (e.g., an alert box appears). This confirms the presence of the vulnerability. There are no specific network commands provided, but manual testing via the MediaWiki UI or automated scripts simulating these steps can detect the issue. [1]

Mitigation Strategies

Immediate mitigation steps include: 1. Apply the official patches that escape system messages used in edit summaries to prevent script injection. These patches were merged across multiple branches and deployed in the December 1, 2025 security deployment window. 2. Restrict or review permissions for users with the `editinterface` permission, as only users with this permission can exploit the vulnerability. 3. Avoid using affected versions of the GrowthExperiments extension (1.39, 1.43, 1.44, 1.45) and upgrade to a fixed version such as MediaWiki 1.46.0-alpha with the patched extension. 4. Monitor edit summaries and related UI components for suspicious scripts or payloads until the patch is applied. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart